Hotels Hit By Malware

by Raymond Pucci 0

Some hotel guests who stayed at various US hotels may have had their credit and debit card data hacked. As the following article describes, HEI Hospitality reports that 20 of their hotel properties discovered malware on their point-of-sale systems.

Customers at 20 US hotels may have had their credit card details exposed to hackers after malware was discovered on the properties’ point-of-sale (POS) systems.

The hotels are run by a hotel management business, HEI Hotels and Resorts, but operate under big-name brands like Marriott, Hyatt and InterContinental Hotels Group (IHG).

According to a statement from HEI, those at risk would have used their credit or debit cards to pay for services at the hotel properties, such as purchasing food or drink. The organisation has not stated whether or not POS transactions for accommodation have been affected.

Data stolen could include customer names and card account numbers, expiration dates and three-digit verification (CSV/CVV) codes.

The company added: “HEI was recently alerted to a potential security incident by its card processor. Based upon an extensive forensic investigation, it appears that unauthorised individuals installed malicious software on our payment processing systems at certain properties designed to capture payment card information as it was routed through these systems.”

HEI is treating the incident as “top priority” and has managed to disable the malware. It is now in the process of reconfiguring and enhancing the security protocols of its network and payment systems. Law enforcement has also been informed.

Chris Daly, a spokesman for HEI, told Reuters over 20,000 transactions may have been affected by the malware. However, it’s difficult to accurately calculate how many individuals or cards may be affected, he said, as multiple transactions may have legitimately been carried out on a single card.

IT Pro contacted the affected hotel chains but had not received a response at the time of publication. However, a full list of affected properties can be found here.

This is not the first (and will not be the last) malware attack on the hospitality industry. The expansiveness of most hotel and resort properties with multiple POS locations could allow hackers to compromise POS terminals that sometimes may be unattended. The real question becomes how less vulnerable will POS transactions become once EMV and other security measures become universally operational.

Overview by Raymond Pucci, Associate Director, Research Service at Mercator Advisory Group

Read the full story here